Practical Aspects of Modern Cryptography Autumn 2016 Tolga Acar Josh Benaloh

Fun with Public-Key Tonight we’ll … Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial applications November 17, 2018 Practical Aspects of Modern Cryptography

Challenge-Response Protocols November 17, 2018 Practical Aspects of Modern Cryptography

Challenge-Response Protocols One party often wants to convince another party that something is true … November 17, 2018 Practical Aspects of Modern Cryptography

Challenge-Response Protocols One party often wants to convince another party that something is true … … without giving everything away. November 17, 2018 Practical Aspects of Modern Cryptography

Proof of Knowledge “I know the secret key 𝑘.” November 17, 2018 Practical Aspects of Modern Cryptography

PoK: Method 1 November 17, 2018 Practical Aspects of Modern Cryptography

PoK: Method 1 Here is 𝑘. November 17, 2018 Practical Aspects of Modern Cryptography

PoK: Method 2 November 17, 2018 Practical Aspects of Modern Cryptography

PoK: Method 2 Here is a nonce 𝑐. November 17, 2018 Practical Aspects of Modern Cryptography

PoK: Method 2 Here is a nonce 𝑐. Here is the hash ℎ(𝑐,𝑘). November 17, 2018 Practical Aspects of Modern Cryptography

Traditional Proofs November 17, 2018 Practical Aspects of Modern Cryptography

Traditional Proofs I want to convince you that something is true. November 17, 2018 Practical Aspects of Modern Cryptography

Traditional Proofs I want to convince you that something is true. I write down a proof and give it to you. November 17, 2018 Practical Aspects of Modern Cryptography

Interactive Proofs We engage in a dialogue at the conclusion of which you are convinced that my claim is true. November 17, 2018 Practical Aspects of Modern Cryptography

Graph Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

Graph Isomorphism B C A E D November 17, 2018 Practical Aspects of Modern Cryptography

Graph Isomorphism B C A A E D C D B E November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism Generate, say, 100 additional graphs isomorphic to G1 (and therefore also isomorphic to G2). November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism Accept a single bit challenge “L/R” for each of the 100 additional graphs. November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism Accept a single bit challenge “L/R” for each of the 100 additional graphs. Display the indicated isomorphism for each of the additional graphs. November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism L H2 R H3 G1 R G2 H100 L November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism If graphs G1 and G2 were not isomorphic, then the “prover” would not be able to show any additional graph to be isomorphic to both G1 and G2. November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Isomorphism If graphs G1 and G2 were not isomorphic, then the “prover” would not be able to show any additional graph to be isomorphic to both G1 and G2. A successful false proof would require the prover to guess all 100 challenges in advance: probability 1 in 2100. November 17, 2018 Practical Aspects of Modern Cryptography

Fiat-Shamir Heuristic November 17, 2018 Practical Aspects of Modern Cryptography

Fiat-Shamir Heuristic Instead of challenge bits being externally generated, they can be produced by applying a one-way hash function to the full set of additional graphs. November 17, 2018 Practical Aspects of Modern Cryptography

Fiat-Shamir Heuristic Instead of challenge bits being externally generated, they can be produced by applying a one-way hash function to the full set of additional graphs. This allows an interactive proof to be “published” without need for interaction. November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Non-Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Non-Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Non-Isomorphism A verifier can generate 100 additional graphs, each isomorphic to one of G1 and G2 , and present them to the prover. November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Non-Isomorphism A verifier can generate 100 additional graphs, each isomorphic to one of G1 and G2 , and present them to the prover. The prover can then demonstrate that the graphs are not isomorphic by identifying which of G1 and G2 each additional graph is isomorphic to. November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Non-Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Non-Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

IP of Graph Non-Isomorphism November 17, 2018 Practical Aspects of Modern Cryptography

Proving Something is a Square November 17, 2018 Practical Aspects of Modern Cryptography

Proving Something is a Square Suppose I want to convince you that 𝑌 is a square modulo 𝑁. [There exists an 𝑋 such that 𝑌 = 𝑋 2 mod 𝑁 .] November 17, 2018 Practical Aspects of Modern Cryptography

Proving Something is a Square Suppose I want to convince you that 𝑌 is a square modulo 𝑁. [There exists an 𝑋 such that 𝑌 = 𝑋 2 mod 𝑁 .] First approach: I give you 𝑋. November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 November 17, 2018 1 1 1 November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 𝑌1 𝑌3 𝑌4 1 1 1 𝑌1 𝑌3 𝑌4 November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 𝑌1 𝑌3 𝑌4 (𝑌2•𝑌) 1 1 1 𝑌1 𝑌3 𝑌4 (𝑌2•𝑌) (𝑌5•𝑌) (𝑌100•𝑌) November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof In order for me to “fool” you, I would have to guess your exact challenge sequence. November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof In order for me to “fool” you, I would have to guess your exact challenge sequence. The probability of my successfully convincing you that 𝑌 is a square when it is not is 2 −100 . November 17, 2018 Practical Aspects of Modern Cryptography

An Interactive Proof In order for me to “fool” you, I would have to guess your exact challenge sequence. The probability of my successfully convincing you that 𝑌 is a square when it is not is 2 −100 . This interactive proof is said to be “zero-knowledge” because the challenger received no information (beyond the proof of the claim) that it couldn’t compute itself. November 17, 2018 Practical Aspects of Modern Cryptography

Applying Fiat-Shamir Once again, the verifier challenges can be simulated by the use of a one-way function to generate the challenge bits. November 17, 2018 Practical Aspects of Modern Cryptography

An Non-Interactive ZK Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 November 17, 2018 Practical Aspects of Modern Cryptography

An Non-Interactive ZK Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 where the bit string is computed as xxx = SHA-1(𝑌1, 𝑌2,…, 𝑌100) November 17, 2018 Practical Aspects of Modern Cryptography

An Non-Interactive ZK Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 𝑌1 𝑌3 𝑌4 November 17, 2018 Practical Aspects of Modern Cryptography

An Non-Interactive ZK Proof 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 𝑌1 𝑌3 𝑌4 (𝑌2•𝑌) (𝑌5•𝑌) (𝑌100•𝑌) November 17, 2018 Practical Aspects of Modern Cryptography

Proving Knowledge Suppose that we share a public key consisting of a modulus 𝑁 and an encryption exponent 𝐸 and that I want to convince you that I have the corresponding decryption exponent 𝐷. How can I do this? November 17, 2018 Practical Aspects of Modern Cryptography

Proving Knowledge November 17, 2018 Practical Aspects of Modern Cryptography

Proving Knowledge I can give you my private key 𝐷. November 17, 2018 Practical Aspects of Modern Cryptography

Proving Knowledge I can give you my private key 𝐷. You can encrypt something for me and I decrypt it for you. November 17, 2018 Practical Aspects of Modern Cryptography

Proving Knowledge I can give you my private key 𝐷. You can encrypt something for me and I decrypt it for you. You can encrypt something for me and I can engage in an interactive proof with you to show that I can decrypt it. November 17, 2018 Practical Aspects of Modern Cryptography

A Proof of Knowledge 𝑌 November 17, 2018 Practical Aspects of Modern Cryptography

A Proof of Knowledge 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 November 17, 2018 Practical Aspects of Modern Cryptography

A Proof of Knowledge 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 November 17, 2018 1 1 1 November 17, 2018 Practical Aspects of Modern Cryptography

A Proof of Knowledge 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 𝑌 1 𝐷 𝑌 3 𝐷 𝑌 4 𝐷 1 1 1 𝑌 1 𝐷 𝑌 3 𝐷 𝑌 4 𝐷 November 17, 2018 Practical Aspects of Modern Cryptography

A Proof of Knowledge 𝑌 𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌100 1 1 1 𝑌 1 𝐷 𝑌 3 𝐷 𝑌 4 𝐷 1 1 1 𝑌 1 𝐷 𝑌 3 𝐷 𝑌 4 𝐷 (𝑌 2 •𝑌) 𝐷 (𝑌 5 •𝑌) 𝐷 (𝑌 100 •𝑌) 𝐷 November 17, 2018 Practical Aspects of Modern Cryptography

A Proof of Knowledge By engaging in this proof, the prover has demonstrated its knowledge of 𝑌 𝐷 – without revealing this value. If 𝑌 is generated by a challenger, this is compelling evidence that the prover possesses 𝐷. November 17, 2018 Practical Aspects of Modern Cryptography

Facts About Interactive Proofs Anything in PSPACE can be proven with a polynomial-time interactive proof. Anything in NP can be proven with a zero-knowledge interactive proof. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Suppose that I have some data that I want to share amongst three people such that November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Suppose that I have some data that I want to share amongst three people such that any two can uniquely determine the data November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Suppose that I have some data that I want to share amongst three people such that any two can uniquely determine the data but any one alone has no information whatsoever about the data. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Some simple cases: “AND” I have a secret value 𝑧 that I would like to share with Alice and Bob such that both Alice and Bob can together determine the secret at any time, but such that neither has any information individually. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND Let 𝑧∈ ℤ 𝑚 = 0,1,…,𝑚−1 be a secret value to be shared with Alice and Bob. Randomly and uniformly select values 𝑥 and 𝑦 from ℤ 𝑚 subject to the constraint that 𝑥+𝑦 mod 𝑚 =𝑧. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . 𝑥 𝑦 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . 𝑥 𝑦 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . 𝑦 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . 𝑦 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . 𝑥 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . 𝑥 𝑦 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND The secret value is 𝑧=(𝑥+𝑦) mod 𝑚 . 𝑥 𝑦 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND This trick easily generalizes to more than two shareholders. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – AND This trick easily generalizes to more than two shareholders. A secret 𝑆 can be written as 𝑆=(𝑠1+𝑠2+…+𝑠𝑛) mod 𝑚 for any randomly chosen integer values 𝑠1, 𝑠2, …, 𝑠𝑛 in the range 0≤𝑠𝑖<𝑚. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Some simple cases: “OR” I have a secret value 𝑧 that I would like to share with Alice and Bob such that either Alice or Bob can determine the secret at any time. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. 𝑧 𝑧 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. 𝑧 𝑧 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. 𝑧 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. 𝑧 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. 𝑧 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR The secret value is 𝑧. 𝑧 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing – OR This case also generalizes easily to more than two shareholders. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing More complex access structures … I want to share secret value 𝑧 amongst Alice, Bob, and Carol such that any two of the three can reconstruct 𝑧. 𝑆=(𝐴∧𝐵)∨(𝐴∧𝐶)∨(𝐵∧𝐶) November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing A B A C B C OR AND AND AND November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing 𝑧∈ ℤ 𝑚 A B A C B C OR AND AND AND November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing 𝑧∈ ℤ 𝑚 𝑧 𝑧 𝑧 A B A C B C OR AND AND AND November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing 𝑧∈ ℤ 𝑚 𝑧 𝑧 𝑧 𝑧1 𝑧2 𝑧3 𝑧4 𝑧5 𝑧6 A B A C B C OR AND AND November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Schemes November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Schemes I want to distribute a secret datum amongst 𝑛 trustees such that November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Schemes I want to distribute a secret datum amongst 𝑛 trustees such that any 𝑘 of the 𝑛 trustees can uniquely determine the secret datum, November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Schemes I want to distribute a secret datum amongst 𝑛 trustees such that any 𝑘 of the 𝑛 trustees can uniquely determine the secret datum, but any set of fewer than 𝑘 trustees has no information whatsoever about the secret datum. November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Schemes OR 1 out of 𝑛 AND 𝑛 out of 𝑛 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme Any 𝑘 points 𝑠 1 , 𝑠 2 , …, 𝑠 𝑘 in a field uniquely determine a polynomial 𝑃 of degree at most 𝑘−1 with 𝑃 𝑖 = 𝑠 𝑖 for 𝑖=1, 2,…,𝑘. This not only works of the reals, rationals, and other infinite fields, but also over the finite field ℤ 𝑝 = 0,1,…,𝑝−1 where 𝑝 is a prime. November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme To distribute a secret value 𝑠∈ ℤ 𝑝 amongst a set of 𝑛 Trustees 𝑇 1 , 𝑇 2 ,…, 𝑇 𝑛 such that any 𝑘 can determine the secret November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme To distribute a secret value 𝑠∈ ℤ 𝑝 amongst a set of 𝑛 Trustees 𝑇 1 , 𝑇 2 ,…, 𝑇 𝑛 such that any 𝑘 can determine the secret pick random coefficients 𝑎 1 , 𝑎 2 ,…, 𝑎 𝑘−1 ∈ ℤ 𝑝 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme To distribute a secret value 𝑠∈ ℤ 𝑝 amongst a set of 𝑛 Trustees 𝑇 1 , 𝑇 2 ,…, 𝑇 𝑛 such that any 𝑘 can determine the secret pick random coefficients 𝑎 1 , 𝑎 2 ,…, 𝑎 𝑘−1 ∈ ℤ 𝑝 let 𝑃 𝑥 = 𝑎 𝑘−1 𝑥 𝑘−1 +…+ 𝑎 2 𝑥 2 + 𝑎 1 𝑥+𝑠 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme To distribute a secret value 𝑠∈ ℤ 𝑝 amongst a set of 𝑛 Trustees 𝑇 1 , 𝑇 2 ,…, 𝑇 𝑛 such that any 𝑘 can determine the secret pick random coefficients 𝑎 1 , 𝑎 2 ,…, 𝑎 𝑘−1 ∈ ℤ 𝑝 let 𝑃 𝑥 = 𝑎 𝑘−1 𝑥 𝑘−1 +…+ 𝑎 2 𝑥 2 + 𝑎 1 𝑥+𝑠 give 𝑃(𝑖) to trustee 𝑇 𝑖 . November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme To distribute a secret value 𝑠∈ ℤ 𝑝 amongst a set of 𝑛 Trustees 𝑇 1 , 𝑇 2 ,…, 𝑇 𝑛 such that any 𝑘 can determine the secret pick random coefficients 𝑎 1 , 𝑎 2 ,…, 𝑎 𝑘−1 ∈ ℤ 𝑝 let 𝑃 𝑥 = 𝑎 𝑘−1 𝑥 𝑘−1 +…+ 𝑎 2 𝑥 2 + 𝑎 1 𝑥+𝑠 give 𝑃(𝑖) to trustee 𝑇 𝑖 . The secret value is 𝑠 = 𝑃(0). November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 (0,9) Secret November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 (0,9) Secret November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 (0,9) (1,7) Secret (2,5) Share 1 (3,3) Share 2 Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 (1,7) Share 1 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 (1,7) Share 1 (3,3) Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 (1,7) Share 1 (3,3) Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 , Secret = 9 (0,9) (1,7) Secret Share 1 (3,3) Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 (1,7) Share 1 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 (1,7) Share 1 (3,4) Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 (1,7) Share 1 (3,4) Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 (0,8.5) (1,7) Secret Share 1 (3,4) Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme The threshold 2 case: Example: Range = ℤ 11 = 0,1,…,10 In ℤ 11 , 8.5 ≡ 17÷2 ≡ 6×6 ≡ 36 ≡ 3 (0,8.5) (1,7) Secret Share 1 (3,4) Share 3 November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme Two methods are commonly used to interpolate a polynomial given a set of points. November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme Two methods are commonly used to interpolate a polynomial given a set of points. Lagrange interpolation November 17, 2018 Practical Aspects of Modern Cryptography

Shamir’s Threshold Scheme Two methods are commonly used to interpolate a polynomial given a set of points. Lagrange interpolation Solving a system of linear equations November 17, 2018 Practical Aspects of Modern Cryptography

Lagrange Interpolation November 17, 2018 Practical Aspects of Modern Cryptography

Lagrange Interpolation For each point (𝑖, 𝑠 𝑖 ), construct a polynomial 𝑃 𝑖 with the correct value at 𝑖 and a value of zero at the other given points. November 17, 2018 Practical Aspects of Modern Cryptography

Lagrange Interpolation For each point (𝑖, 𝑠 𝑖 ), construct a polynomial 𝑃 𝑖 with the correct value at 𝑖 and a value of zero at the other given points. 𝑃 𝑖 𝑥 = 𝑠 𝑖 × 𝑗≠𝑖 (𝑥−𝑗) ÷ 𝑗≠𝑖 (𝑖−𝑗) November 17, 2018 Practical Aspects of Modern Cryptography

Lagrange Interpolation For each point (𝑖, 𝑠 𝑖 ), construct a polynomial 𝑃 𝑖 with the correct value at 𝑖 and a value of zero at the other given points. 𝑃 𝑖 𝑥 = 𝑠 𝑖 × 𝑗≠𝑖 (𝑥−𝑗) ÷ 𝑗≠𝑖 (𝑖−𝑗) Then sum the 𝑃 𝑖 𝑥 to compute 𝑃 𝑥 . November 17, 2018 Practical Aspects of Modern Cryptography

Lagrange Interpolation For each point (𝑖, 𝑠 𝑖 ), construct a polynomial 𝑃 𝑖 with the correct value at 𝑖 and a value of zero at the other given points. 𝑃 𝑖 𝑥 = 𝑠 𝑖 × 𝑗≠𝑖 (𝑥−𝑗) ÷ 𝑗≠𝑖 (𝑖−𝑗) Then sum the 𝑃 𝑖 𝑥 to compute 𝑃 𝑥 . 𝑃(𝑥)= 𝑖 𝑃 𝑖 𝑥 November 17, 2018 Practical Aspects of Modern Cryptography

Solving a Linear System November 17, 2018 Practical Aspects of Modern Cryptography

Solving a Linear System Regard the polynomial coefficients as unknowns. November 17, 2018 Practical Aspects of Modern Cryptography

Solving a Linear System Regard the polynomial coefficients as unknowns. Plug in each known point to get a linear equation in terms of the unknown coefficients. November 17, 2018 Practical Aspects of Modern Cryptography

Solving a Linear System Regard the polynomial coefficients as unknowns. Plug in each known point to get a linear equation in terms of the unknown coefficients. Once there are as many equations as unknowns, use linear algebra to solve the system of equations. November 17, 2018 Practical Aspects of Modern Cryptography

Verifiable Secret Sharing Secret sharing is very useful when the “dealer” of a secret is honest, but what bad things can happen if the dealer is potentially dishonest? Can measures be taken to eliminate or mitigate the damages? November 17, 2018 Practical Aspects of Modern Cryptography

Homomorphic Encryption Recall that with RSA, there is a multiplicative homomorphism. 𝐸 𝑥 𝐸 𝑦 ≡𝐸(𝑥𝑦) Can we find an encryption function with an additive homomorphism? November 17, 2018 Practical Aspects of Modern Cryptography

An Additive Homomorphism Can we find an encryption function for which the sum (or product) of two encrypted messages is the (an) encryption of the sum of the two original messages? 𝐸(𝑥)◦𝐸(𝑦)≡𝐸(𝑥+𝑦) November 17, 2018 Practical Aspects of Modern Cryptography

An Additive Homomorphism Recall the one-way function given by 𝑓(𝑥) = 𝑔𝑥 mod 𝑚. For this function, 𝑓(𝑥)𝑓(𝑦) mod 𝑚 = 𝑔𝑥𝑔𝑦 mod 𝑚 = 𝑔 𝑥+𝑦 mod 𝑚 = 𝑓(𝑥+𝑦) mod 𝑚. November 17, 2018 Practical Aspects of Modern Cryptography

Verifiable Secret Sharing November 17, 2018 Practical Aspects of Modern Cryptography

Verifiable Secret Sharing Select a polynomial with secret 𝑎 0 as 𝑃 𝑥 = 𝑎 𝑘−1 𝑥 𝑘−1 +⋯+ 𝑎 2 𝑥 2 + 𝑎 1 𝑥+ 𝑎 0 . November 17, 2018 Practical Aspects of Modern Cryptography

Verifiable Secret Sharing Select a polynomial with secret 𝑎 0 as 𝑃 𝑥 = 𝑎 𝑘−1 𝑥 𝑘−1 +⋯+ 𝑎 2 𝑥 2 + 𝑎 1 𝑥+ 𝑎 0 . Commit to the coefficients by publishing 𝑔 𝑎 0 , 𝑔 𝑎 1 , 𝑔 𝑎 2 , …, 𝑔 𝑎 𝑘−1 . November 17, 2018 Practical Aspects of Modern Cryptography

Verifiable Secret Sharing Select a polynomial with secret 𝑎 0 as 𝑃 𝑥 = 𝑎 𝑘−1 𝑥 𝑘−1 +⋯+ 𝑎 2 𝑥 2 + 𝑎 1 𝑥+ 𝑎 0 . Commit to the coefficients by publishing 𝑔 𝑎 0 , 𝑔 𝑎 1 , 𝑔 𝑎 2 , …, 𝑔 𝑎 𝑘−1 . Compute a commitment to 𝑃(𝑖) from public values as 𝑔 𝑃(𝑖) = 𝑔 𝑎 0 𝑖 0 𝑔 𝑎 1 𝑖 1 𝑔 𝑎 2 𝑖 2 ⋯ 𝑔 𝑎 𝑘−1 𝑖 𝑘−1 . November 17, 2018 Practical Aspects of Modern Cryptography

Verifiable Secret Sharing An important detail Randomness must be included to prevent small spaces of possible secrets and shares from being exhaustively searched. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Homomorphisms All of these secret sharing methods have an additional useful feature: If two secrets are separately shared amongst the same set of people in the same way, then the sum of the individual shares constitute shares of the sum of the secrets. November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Homomorphisms OR Secret: 𝑎 – Shares: 𝑎, 𝑎, …, 𝑎 Secret: 𝑏 – Shares: 𝑏, 𝑏, …, 𝑏 Secret sum: 𝑎+𝑏 Share sums: 𝑎+𝑏, 𝑎+𝑏, …, 𝑎+𝑏 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Homomorphisms AND Secret: 𝑎 – Shares: 𝑎1, 𝑎2, …, 𝑎𝑛 Secret: 𝑏 – Shares: 𝑏1, 𝑏2, …, 𝑏𝑛 Secret sum: 𝑎+𝑏 Share sums: 𝑎1+𝑏1, 𝑎2+𝑏2, …, 𝑎𝑛+𝑏𝑛 November 17, 2018 Practical Aspects of Modern Cryptography

Secret Sharing Homomorphisms THRESHOLD Secret: 𝑃 1 (0) – Shares: 𝑃 1 (1), 𝑃 1 (2), …, 𝑃 1 (𝑛) Secret: 𝑃 2 (0) – Shares: 𝑃 2 (1), 𝑃 2 (2), …, 𝑃 2 (𝑛) Secret sum: 𝑃 1 (0)+ 𝑃 2 (0) Share sums: 𝑃 1 (1)+ 𝑃 2 (1), 𝑃 1 (2)+ 𝑃 2 (2), …, 𝑃 1 (𝑛)+ 𝑃 2 (𝑛) November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Encryption I want to encrypt a secret message 𝑀 for a set of 𝑛 recipients such that any 𝑘 of the 𝑛 recipients can uniquely decrypt the secret message 𝑀, but any set of fewer than 𝑘 recipients has no information whatsoever about the secret message 𝑀. November 17, 2018 Practical Aspects of Modern Cryptography

Recall Diffie-Hellman Alice Randomly select a large integer 𝑎 and send 𝐴= 𝑔 𝑎 mod 𝑝. Compute the key 𝐾= 𝐵 𝑎 mod 𝑝. Bob Randomly select a large integer 𝑏 and send 𝐵= 𝑔 𝑏 mod 𝑝. Compute the key 𝐾= 𝐴 𝑏 mod 𝑝. 𝐵 𝑎 = 𝑔 𝑏𝑎 = 𝑔 𝑎𝑏 = 𝐴 𝑏 November 17, 2018 Practical Aspects of Modern Cryptography

ElGamal Encryption November 17, 2018 Practical Aspects of Modern Cryptography

ElGamal Encryption Alice selects a large random private key 𝑎 and computes an associated public key 𝐴= 𝑔 𝑎 mod 𝑝. November 17, 2018 Practical Aspects of Modern Cryptography

ElGamal Encryption Alice selects a large random private key 𝑎 and computes an associated public key 𝐴= 𝑔 𝑎 mod 𝑝. To send a message 𝑀 to Alice, Bob selects a random value 𝑟 and computes the pair (𝑋,𝑌) = ( 𝐴 𝑟 𝑀 mod 𝑝, 𝑔 𝑟 mod 𝑝). November 17, 2018 Practical Aspects of Modern Cryptography

ElGamal Encryption Alice selects a large random private key 𝑎 and computes an associated public key 𝐴= 𝑔 𝑎 mod 𝑝. To send a message 𝑀 to Alice, Bob selects a random value 𝑟 and computes the pair (𝑋,𝑌) = ( 𝐴 𝑟 𝑀 mod 𝑝, 𝑔 𝑟 mod 𝑝). To decrypt, Alice computes 𝑋/ 𝑌 𝑎 mod 𝑝 = 𝐴 𝑟 𝑀/ 𝑔 𝑟𝑎 mod 𝑝 = 𝑀. November 17, 2018 Practical Aspects of Modern Cryptography

ElGamal Re-Encryption If 𝐴= 𝑔 𝑎 mod 𝑝 is a public key and the pair (𝑋,𝑌) = ( 𝐴 𝑟 𝑀 mod 𝑝, 𝑔 𝑟 mod 𝑝) is an encryption of message 𝑀, then for any value 𝑐, the pair ( 𝐴 𝑐 𝑋, 𝑔 𝑐 𝑌) = ( 𝐴 𝑐+𝑟 𝑀 mod 𝑝, 𝑔 𝑐+𝑟 mod 𝑝) is an encryption of the same message 𝑀, for any value 𝑐. November 17, 2018 Practical Aspects of Modern Cryptography

Group ElGamal Encryption November 17, 2018 Practical Aspects of Modern Cryptography

Group ElGamal Encryption Each recipient selects a large random private key 𝑎𝑖 and computes an associated public key 𝐴𝑖 = 𝑔 𝑎 𝑖 mod 𝑝. November 17, 2018 Practical Aspects of Modern Cryptography

Group ElGamal Encryption Each recipient selects a large random private key 𝑎𝑖 and computes an associated public key 𝐴𝑖 = 𝑔 𝑎 𝑖 mod 𝑝. The group key is 𝐴 = 𝐴 𝑖 mod 𝑝 = 𝑔 𝑎 𝑖 mod 𝑝. November 17, 2018 Practical Aspects of Modern Cryptography

Group ElGamal Encryption Each recipient selects a large random private key 𝑎𝑖 and computes an associated public key 𝐴𝑖 = 𝑔 𝑎 𝑖 mod 𝑝. The group key is 𝐴 = 𝐴 𝑖 mod 𝑝 = 𝑔 𝑎 𝑖 mod 𝑝. To send a message 𝑀 to the group, Bob selects a random value 𝑟 and computes the pair (𝑋,𝑌) = ( 𝐴 𝑟 𝑀 mod 𝑝, 𝑔 𝑟 mod 𝑝). November 17, 2018 Practical Aspects of Modern Cryptography

Group ElGamal Encryption Each recipient selects a large random private key 𝑎𝑖 and computes an associated public key 𝐴𝑖 = 𝑔 𝑎 𝑖 mod 𝑝. The group key is 𝐴 = 𝐴 𝑖 mod 𝑝 = 𝑔 𝑎 𝑖 mod 𝑝. To send a message 𝑀 to the group, Bob selects a random value 𝑟 and computes the pair (𝑋,𝑌) = ( 𝐴 𝑟 𝑀 mod 𝑝, 𝑔 𝑟 mod 𝑝). To decrypt, each group member computes 𝑌 𝑖 = 𝑌 𝑎 𝑖 mod 𝑝. The message 𝑀 = 𝑋/ 𝑌 𝑖 mod 𝑝. November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Encryption (ElGamal) November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Encryption (ElGamal) Each recipient selects 𝑘 large random secret coefficients 𝑎 𝑖,0 , 𝑎 𝑖,1 , …, 𝑎 𝑖,𝑘−2 , 𝑎 𝑖,𝑘−1 and forms the polynomial 𝑃 𝑖 𝑥 = 𝑎 𝑖,𝑘−1 𝑥 𝑘−1 + 𝑎 𝑖,𝑘−2 𝑥 𝑘−2 +⋯+ 𝑎 𝑖,1 𝑥+ 𝑎 𝑖,0 November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Encryption (ElGamal) Each recipient selects 𝑘 large random secret coefficients 𝑎 𝑖,0 , 𝑎 𝑖,1 , …, 𝑎 𝑖,𝑘−2 , 𝑎 𝑖,𝑘−1 and forms the polynomial 𝑃 𝑖 𝑥 = 𝑎 𝑖,𝑘−1 𝑥 𝑘−1 + 𝑎 𝑖,𝑘−2 𝑥 𝑘−2 +⋯+ 𝑎 𝑖,1 𝑥+ 𝑎 𝑖,0 Each polynomial 𝑃 𝑖 (𝑥) is then verifiably shared with the other recipients by distributing each 𝑔 𝑎 𝑖,𝑗 . November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Encryption (ElGamal) Each recipient selects 𝑘 large random secret coefficients 𝑎 𝑖,0 , 𝑎 𝑖,1 , …, 𝑎 𝑖,𝑘−2 , 𝑎 𝑖,𝑘−1 and forms the polynomial 𝑃 𝑖 𝑥 = 𝑎 𝑖,𝑘−1 𝑥 𝑘−1 + 𝑎 𝑖,𝑘−2 𝑥 𝑘−2 +⋯+ 𝑎 𝑖,1 𝑥+ 𝑎 𝑖,0 Each polynomial 𝑃 𝑖 (𝑥) is then verifiably shared with the other recipients by distributing each 𝑔 𝑎 𝑖,𝑗 . The joint (threshold) public key is 𝑔 𝑎 𝑖,0 . November 17, 2018 Practical Aspects of Modern Cryptography

Threshold Encryption (ElGamal) Each recipient selects 𝑘 large random secret coefficients 𝑎 𝑖,0 , 𝑎 𝑖,1 , …, 𝑎 𝑖,𝑘−2 , 𝑎 𝑖,𝑘−1 and forms the polynomial 𝑃 𝑖 𝑥 = 𝑎 𝑖,𝑘−1 𝑥 𝑘−1 + 𝑎 𝑖,𝑘−2 𝑥 𝑘−2 +⋯+ 𝑎 𝑖,1 𝑥+ 𝑎 𝑖,0 Each polynomial 𝑃 𝑖 (𝑥) is then verifiably shared with the other recipients by distributing each 𝑔 𝑎 𝑖,𝑗 . The joint (threshold) public key is 𝑔 𝑎 𝑖,0 . Any set of 𝑘 recipients can form the secret key 𝑎 𝑖,0 to decrypt. November 17, 2018 Practical Aspects of Modern Cryptography

Verifiable Elections Application November 17, 2018 Practical Aspects of Modern Cryptography

Traditional Voting Methods

Traditional Voting Methods Hand-Counted Paper

Traditional Voting Methods Hand-Counted Paper Punch Cards

Traditional Voting Methods Hand-Counted Paper Punch Cards Lever Machines

Traditional Voting Methods Hand-Counted Paper Punch Cards Lever Machines Optical Scan Ballots

Traditional Voting Methods Hand-Counted Paper Punch Cards Lever Machines Optical Scan Ballots Electronic Voting Machines

Traditional Voting Methods Hand-Counted Paper Punch Cards Lever Machines Optical Scan Ballots Electronic Voting Machines Touch-Screen Terminals

Traditional Voting Methods Hand-Counted Paper Punch Cards Lever Machines Optical Scan Ballots Electronic Voting Machines Touch-Screen Terminals Various Hybrids

Vulnerabilities and Trust All of these systems have substantial vulnerabilities. All of these systems require trust in the honesty and expertise of election officials (and usually the equipment vendors as well). Can we do better?

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective

The Voter’s Perspective As a voter, you don’t really know what happens behind the curtain. You have no choice but to trust the people working behind the curtain. You don’t even get to choose the people who you will have to trust.

We Can Do Better! Elections can be run such that each and every voter can verify the correctness of the tally without having to trust anyone or anything!

Verifiable Election Technologies Allow voters to track their individual (sealed) votes and ensure that they are properly counted… … even in the presence of faulty or malicious election equipment … … and/or careless or dishonest election personnel.

Voters can check that … Their own (sealed) votes have been properly recorded. All recorded votes have been properly counted. This is not just checking a claim that the right steps have been taken. This is actually a check that the counting is correct.

End-to-End Verifiability E2E-verifiability is not a property of an election system … It is a property of an individual election.

End-to-End Verifiability E2E-verifiable elections can be produced by … Paper-based or Electronic systems Local or Remote systems Monitored or Unmonitored systems

E2E-Verifiability Replaces Trust In an E2E-verifiable election, the integrity of tallies can be verified entirely without trust. Voters and observers can verify everything themselves. They don’t need to trust election officials, equipment, vendors, or anyone.

An E2E-Verifiable Election

An E2E-Verifiable Election Voter Name Vote Alice Smith Jefferson Bob Williams Adams Carol James David Fuentes Ellen Chu Totals Jefferson 3 Adams 2

But wait … This isn’t a secret-ballot election. Quite true, but it’s enough to show that voter-verifiability is possible … and also to falsify arguments that electronic elections are inherently untrustworthy.

Privacy The only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion). Performing tasks while preserving privacy is the bailiwick of cryptography. Cryptographic techniques can enable E2E-verifiable elections while preserving voter privacy.

Secure Multiparty Computation General cryptographic techniques can compute any function on private inputs. Does not apply to elections because voters should not be able to reveal their votes – even if they want to do so.

Adding Encryption A layer of confidentiality can be added to an otherwise openly-verifiable system using homomoprhic encyption in which the product of ciphertexts constitutes an encryption of the sum of the corresponding plaintexts.

An E2E-Verifiable Election Voter Name Vote Alice Smith Jefferson Bob Williams Adams Carol James David Fuentes Ellen Chu Totals Jefferson 3 Adams 2

An E2E-Verifiable Election Voter Name Vote Alice Smith Jefferson X37BM6YPM Bob Williams Adams 2J8CNF2KQ Carol James VRSF5JQWZ David Fuentes MW5B2VA7Y Ellen Chu 8VPPS2L39 Totals Jefferson 3 Adams 2

An E2E-Verifiable Election Voter Name Vote Alice Smith Jefferson X37BM6YPM Bob Williams Adams 2J8CNF2KQ Carol James VRSF5JQWZ David Fuentes MW5B2VA7Y Ellen Chu 8VPPS2L39 Totals Jefferson 3 Adams 2

An E2E-Verifiable Election Voter Name Vote Alice Smith Jefferson X37BM6YPM Bob Williams Adams 2J8CNF2KQ Carol James VRSF5JQWZ David Fuentes MW5B2VA7Y Ellen Chu 8VPPS2L39 Totals Jefferson 3 Adams 2

An E2E-Verifiable Election X37BM6YPM 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Totals Jefferson 3 Adams 2

An E2E-Verifiable Election X37BM6YPM 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Mathematical Proof Totals Jefferson 3 Adams 2

End-to-End Verifiable Elections Two principle phases … Voters publish their names and encrypted votes. Administrators compute and publish the tally together with a cryptographic proof that the tally “matches” the set of encrypted votes.

Fundamental Tallying Decision There are essentially two paradigms to choose from … Anonymized Ballots (Mix Networks) Ballotless Tallying (Homomorphic Encryption)

Anonymized Ballots

Homomorphic Tallying

Homomorphic Encryption With RSA encryption, 𝑍 1 =𝐸( 𝑋 1 )= 𝑋 1 𝑌 𝑍 2 =𝐸( 𝑋 2 )= 𝑋 2 𝑌 𝑍 1 × 𝑍 2 =𝐸 𝑋 1 ×𝐸 𝑋 2 = 𝑋 1 𝑌 × 𝑋 2 𝑌 = 𝑋 1 × 𝑋 2 𝑌 =𝐸( 𝑋 1 × 𝑋 2 ) RSA is multiplicatively homomorpic.

Homomorphic Encryption With another encryption function, 𝑍 1 =𝐸( 𝑋 1 )= 𝑔 𝑋 1 𝑍 2 =𝐸( 𝑋 2 )= 𝑔 𝑋 2 𝑍 1 × 𝑍 2 =𝐸( 𝑋 1 )×𝐸( 𝑋 2 )= 𝑔 𝑋 1 × 𝑔 𝑋 2 = 𝑔 𝑋 1 + 𝑋 2 =𝐸( 𝑋 1 + 𝑋 2 ) This function is additively homomorpic.

In Elections … 𝑍 1 = E(Vote #1) 𝑍 2 = E(Vote #2) ⋮ 𝑍 𝑘 = E(Vote #𝑘) The product of the encryptions of the votes is an encryption of the sum of the votes.

Homomorphic Encryption Some Homomorphic Functions RSA: E(m) = me mod n ElGamal: E(m,r) = (gr,mhr) mod p GM: E(b,r) = r2gb mod n Benaloh: E(m,r) = regm mod n Pallier: E(m,r) = rngm mod n2

0, 1, 0, 0; 1, 0; 0, 0, 0 A Valid Vote First Race Second Race 0, 1, 0, 0; 1, 0; 0, 0, 0 First Race Second Race Third Race Second Option Fourth Option First Option Third Option

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1  = 0, 2, 2, 1; 3, 2; 1, 1, 2

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1  = 0, 2, 2, 1; 3, 2; 1, 1, 2

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1  = 0, 2, 2, 1; 3, 2; 1, 1, 2

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1  = 0, 2, 2, 1; 3, 2; 1, 1, 2

Homomorphic Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Bob 0, 0, 0, 1; 1, 0; 0, 1, 0 Carol 0, 0, 1, 0; 0, 1; 1, 0, 0 David 0, 1, 0, 0; 1, 0; 0, 0, 1 Eve 0, 0, 1, 0; 0, 1; 0, 0, 1  = 0, 2, 2, 1; 3, 2; 1, 1, 2

Homomorphic Elections Alice Bob Carol 1 David Eve  =

Homomorphic Elections Alice Bob Carol 1 David Eve  = 2

Homomorphic Elections Alice Bob Carol 1 David Eve

Homomorphic Elections Alice Bob Carol 1 David Eve

Homomorphic Elections Alice Bob Carol 1 David Eve = 2

Homomorphic Elections Alice Bob Carol 1 David Eve = 2

Homomorphic Elections Alice Bob Carol 1 David Eve = 2

Multiple Authorities Alice Bob Carol 1 David Eve

Multiple Authorities X1 X2 X3 Alice =  3 -5 2 Bob -4 5 -1 Carol 1 -3 =  3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4

Multiple Authorities  = X1 X2 X3 Alice =  3 -5 2 Bob -4 5 -1 Carol 1 =  3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities  = X1 X2 X3 Alice =  3 -5 2 Bob -4 5 -1 Carol 1 =  3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities  = X1 X2 X3 Alice =  3 -5 2 Bob -4 5 -1 Carol 1 =  3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities  = X1 X2 X3 Alice =  3 -5 2 Bob -4 5 -1 Carol 1 =  3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities  = X1 X2 X3 Alice =  3 -5 2 Bob -4 5 -1 Carol 1 =  3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities The sum of the shares of the votes constitute shares of the sum of the votes.

Multiple Authorities  = X1 X2 X3 Alice =  3 -5 2 Bob -4 5 -1 Carol 1 =  3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities X1 X2 X3 Alice 3 -5 2 Bob -4 5 -1 Carol 1 -3 3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4

Multiple Authorities  = X1 X2 X3 Alice 3 -5 2 Bob -4 5 -1 Carol 1 -3 3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities  = X1 X2 X3 Alice 3 -5 2 Bob -4 5 -1 Carol 1 -3 3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities  = X1 X2 X3 Alice 3 -5 2 Bob -4 5 -1 Carol 1 -3 3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  =

Multiple Authorities  = X1 X2 X3 Alice 3 -5 2 Bob -4 5 -1 Carol 1 -3 3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  = = 

Multiple Authorities  = X1 X2 X3 Alice 3 -5 2 Bob -4 5 -1 Carol 1 -3 3 -5 2 Bob -4 5 -1 Carol 1 -3 David -2 Eve 4  = = 

Adding Robustness Splitting a vote by addition is equivalent to 𝑛 out of 𝑛 secret sharing. One could instead share a vote using a threshold scheme to achieve 𝑘 out of 𝑛 system. One can also use an additively-homomorphic threshold encryption scheme directly.

Mix-Based Elections

Mix-Based Elections Shuffle the encrypted ballots by transforming each into a different representation of the same ballot and then permuting the full set.

Mix-Based Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0

Mix-Based Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0

Mix-Based Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Null 0, 1, 0, 0; 1, 0; 0, 0, 0 Null 0, 0, 0, 0; 0, 0; 0, 0, 0

Mix-Based Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Null 0, 1, 0, 0; 1, 0; 0, 0, 0 Null 0, 0, 0, 0; 0, 0; 0, 0, 0

Mix-Based Elections Alice 0, 1, 0, 0; 1, 0; 0, 0, 0 Null 0, 1, 0, 0; 1, 0; 0, 0, 0 Null 0, 0, 0, 0; 0, 0; 0, 0, 0  =

Mix-Based Elections Each shuffler proves that its output set is a permutation of different encryptions of its input set. After a sufficient number of shuffles, the individual ballots can be opened.

The Mix-Net Paradigm MIX Vote Vote Vote Vote

The Mix-Net Paradigm MIX Vote Vote Vote Vote

Multiple Mixes  MIX MIX Vote   Vote    Vote    Vote   

Decryption Mix-net Each object is encrypted with a pre-determined set of encryption layers. Each mix, in pre-determined order performs a decryption to remove its associated layer.

Re-encryption Mix-net The decryption and shuffling functions are decoupled. Mixes can be added or removed dynamically with robustness. Proofs of correct mixing can be published and independently verified.

Recall Homomorphic Encryption We can construct a public-key encryption function E such that if A is an encryption of a and B is an encryption of b then AB is an encryption of ab.

Re-encryption (additive) A is an encryption of a and Z is an encryption of 0 then AZ is another encryption of a.

Re-encryption (multiplicative) A is an encryption of a and I is an encryption of 1 then AI is another encryption of a.

A Re-encryption Mix MIX

A Re-encryption Mix MIX

Re-encryption Mix-nets Vote Vote Vote Vote

Verifiability Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input. Any observer can verify this proof. The decryptions are also proven to be correct. If a mix’s proof is invalid, its mixing will be bypassed.

Faulty Mixes MIX MIX Vote Vote Vote Vote

Some Verifiable Mixes 1993 Park, Itoh, and Kurosawa 1995 Sako and Kilian 2001 Furukawa and Sako 2001 Neff 2002 Jakobsson, Juels, and Rivest 2003 Groth

Who has the Keys? A pre-determined set of parties independently generate and share the encryption (and decryption) keys used in the election. A pre-determined threshold of key holders is required to decrypt.

Who has the Keys? Important If a sufficient number of key holders collude, they can compromise voter privacy. But even if all key holders collude, they cannot compromise the integrity of the tallies.

Re-encryption Each value is re-encrypted by multiplying it by an encryption of one. This can be done without knowing the decryptions.

Verifying a Re-encryption MIX 31415926 27182818 31415926 16180339 14142135 81828172 62951413 93308161 53124141 27182818 16180339 14142135

A Simple Verifiable Re-encryption Mix

Is This “Proof” Absolute? The proof can be “defeated” if and only if every left/right decision can be predicted by the prover in advance. If there are 100 intermediate ballot sets, the chance of this happening is 1 in 2100.

Who Chooses? But this won’t convince me. But this can be inefficient. If you choose, then you are convinced. But this won’t convince me. We can each make some of the choices. But this can be inefficient. We can co-operate on the choices. But this is cumbersome. We can agree on a random source. But what source?

Who Chooses? The Fiat-Shamir Heuristic Prepare all of the ballot sets as above. Put all of the data into a one-way hash. Use the hash output to make the choices. This allows a proof of equivalence to be “published” by the mix.

Assumptions A disadvantage of using Fiat-Shamir is that election integrity now requires a computational assumption – the assumption that the hash is “secure”. Voter privacy depends upon the quality of the encryption.

The Encryption Anyone with the decryption key can read all of the votes – even before mixing. A threshold encryption scheme is used to distribute the decryption capabilities.

Randomized Partial Checking MIX

Choose Any Two Computationally Efficient Conceptually Simple Exact We have techniques to make verifiable tallying … Computationally Efficient Conceptually Simple Exact

How Can Humans Verify Votes? VRSF5JQWZ = Adams ?

How do Humans Encrypt? If voters encrypt their votes with devices of their own choosing, they are subject to coercion and compromise. If voters encrypt their votes on “official” devices, how can they trust that their intentions have been properly captured?

The Human Encryptor We need to find ways to engage humans in an interactive proof process to ensure that their intentions are accurately reflected in encrypted ballots cast on their behalf.

MarkPledge Ballot Alice Bob Carol David Eve 367 248 792 141 390 863 427 015 Bob 629 523 916 504 129 077 476 947 Carol 285 668 049 732 859 308 156 422 David Eve 264 717 740 317 832 399 441 946

MarkPledge Ballot Alice Bob Carol David Eve 367 248 792 141 390 863 427 015 Bob 629 523 916 504 129 077 476 947 Carol 285 668 049 732 859 308 156 422 David Eve 264 717 740 317 832 399 441 946

MarkPledge Ballot Alice Bob Carol David Eve 367 248 792 141 390 863 427 015 Bob 629 523 916 504 129 077 476 947 Carol 285 668 049 732 859 308 156 422 David Eve 264 717 740 317 832 399 441 946 Device commitment to voter: “You’re candidate’s number is 863.”

MarkPledge Ballot Alice Bob Carol David Eve 367 248 792 141 390 863 427 015 Bob 629 523 916 504 129 077 476 947 Carol 285 668 049 732 859 308 156 422 David Eve 264 717 740 317 832 399 441 946 Device commitment to voter: “You’re candidate’s number is 863.” Voter challenge: “Decrypt column number 5.”

MarkPledge Ballot Alice Bob Carol David Eve 367 248 792 141 390 863 427 015 Bob 629 523 916 504 129 077 476 947 Carol 285 668 049 732 859 308 156 422 David Eve 264 717 740 317 832 399 441 946 Device commitment to voter: “You’re candidate’s number is 863.” Voter challenge: “Decrypt column number 5.”

MarkPledge Ballot Alice Bob Carol David Eve 367 248 792 141 390 863 427 015 Bob 629 523 916 504 129 077 476 947 Carol 285 668 049 732 859 308 156 422 David Eve 264 717 740 317 832 399 441 946

Prêt à Voter Ballot Bob Eve Carol Alice David 17320508

Prêt à Voter Ballot Bob Eve Carol Alice X David 17320508

Prêt à Voter Ballot X 17320508

PunchScan Ballot Y – Alice X – Bob #001 X Y

PunchScan Ballot Y – Alice X – Bob #001 Y X

PunchScan Ballot X – Alice Y – Bob #001 Y X

PunchScan Ballot X – Alice Y – Bob #001 Y X

PunchScan Ballot X – Alice Y – Bob #001 #001 Y X

Scantegrity

Voter-Initiated Auditing Voter can use “any” device to make selections (touch-screen DRE, OpScan, etc.) After selections are made, voter receives an encrypted receipt of the ballot.

Voter-Initiated Auditing Voter choice: Cast or Spoil 734922031382 Encrypted Vote

Voter-Initiated Auditing Cast 734922031382 Encrypted Vote

Voter-Initiated Auditing Spoil Vote for Alice Random # is 28637582738 734922031382

A Verifiable Election Record Cast Ballots X37BM6YPM 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Spoiled Ballots 36PWY4MMB Jefferson 8QZ4TY2B7 Adams GX39M6P4Y Mathematical Proof Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots X37BM6YPM 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Mathematical Proof Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots X37BM6YPM 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39 Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  CM97JQX4D Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Spoiled Ballots 36PWY4MMB Jefferson 8QZ4TY2B7 Adams GX39M6P4Y Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Spoiled Ballots 36PWY4MMB Jefferson 8QZ4TY2B7 Adams GX39M6P4Y Totals Jefferson 3 Adams 2

An unexpected benefit …

Provisional Ballots Common practice is to release preliminaries tallies that exclude provisional ballots. Provisional ballots that are adjuciated as proper are added to the tallies.

Provisional Ballot Privacy Privacy is substantially diminished for provisional ballots. End-to-end methods can restore this privacy by initially counting all provisional ballots and then selectively removing ballots that are subsequently deemed illegitimate.

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Spoiled Ballots 36PWY4MMB Jefferson 8QZ4TY2B7 Adams GX39M6P4Y Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Spoiled Ballots 36PWY4MMB Jefferson 8QZ4TY2B7 Adams GX39M6P4Y Totals Jefferson 3 Adams 2

A Verifiable Election Record Cast Ballots Adams Jefferson X37BM6YPM 1 2J8CNF2KQ VRSF5JQWZ MW5B2VA7Y 8VPPS2L39  + CM97JQX4D 2 3 Spoiled Ballots 36PWY4MMB Jefferson 8QZ4TY2B7 Adams GX39M6P4Y Totals Jefferson 3 Adams 2

Benefits of E2E-Verifiability Strong public assurance of election integrity Elimination of trust requirements Certification relief

The Voter’s Perspective Verifiable election systems can be built to look exactly like current systems … … with one addition …

A Verifiable Receipt 7A34ZR9K4BX Precinct 37 – Machine 4 Nov. 6, 2012 1:39PM Vote receipt tag: 7A34ZR9K4BX ***VOTE COMFIRMED***

The Voter’s Perspective Voters can … Use receipts to check their results are properly recorded on a public web site. Throw their receipts in the trash. Write and use their own election verifiers. Download applications from sources of their choice to verify the mathematical proof of the tally. Believe verifications done by their political parties, LWV, ACLU, etc. Accept the results without question.

Travis County, Texas

Travis County, Texas Population (2010 Census): 1,024,266

Travis County Requirements Hand-marked paper is unwieldy and ambiguous. Many voters and activists want paper records. Sweet spot: Electronic ballot-marking devices produce marked paper ballot summaries.

STAR-Vote Electronic ballot-marking devices Full paper-ballot records Full verifiability Privacy-preserving risk-limiting auditing Tight coordination/agreement between tallies

Voter Sign-in

Receive Token Enter code: 7126

Electronic Ballot-Marking Device

Ballot Summary and Receipt President: Alice Vice-President: Bob Treasurer: Carol Secretary: David _____________________ Ballot #: 32496 ---------------------------------- Vote receipt tag: 7A34ZR9K4BX

Ballot Summary and Receipt President: Alice Vice-President: Bob Treasurer: Carol Secretary: David _____________________ Ballot #: 32496 ---------------------------------- Vote receipt tag: 7A34ZR9K4BX Cleartext Selections 

Ballot Summary and Receipt President: Alice Vice-President: Bob Treasurer: Carol Secretary: David _____________________ Ballot #: 32496 ---------------------------------- Vote receipt tag: 7A34ZR9K4BX Cleartext Selections  Ballot ID 

Ballot Summary and Receipt President: Alice Vice-President: Bob Treasurer: Carol Secretary: David _____________________ Ballot #: 32496 ---------------------------------- Vote receipt tag: 7A34ZR9K4BX Cleartext Selections  Ballot ID  Voter Receipt 

Voter Tasks Remove voter receipt (this could also be provided to the voter on a separate slip),

Ballot Summary and Receipt President: Alice Vice-President: Bob Treasurer: Carol Secretary: David _____________________ Ballot #: 32496 ---------------------------------- Vote receipt tag: 7A34ZR9K4BX Cleartext Selections  Ballot ID  Voter Receipt 

Ballot Summary and Receipt President: Alice Vice-President: Bob Treasurer: Carol Secretary: David _____________________ Ballot #: 32496 Cleartext Selections  Ballot ID 

Voter Tasks Two Options: CAST or SPOIL

CAST Option

CAST Option A voter casts a ballot by depositing it in the ballot box. A scanner in the ballot box reads and records the Ballot ID. A ballot is NOT considered cast until it is deposited in the ballot box.

SPOIL Option

SPOIL Option A voter can take a completed ballot paper to a poll worker and exchange it for a new voting token. The voter can retain the original receipt and a copy (or perhaps even original) of the spoiled paper ballot. Any other ballots are considered unvoted.

Ballot Processing Ballot-marking devices retain encrypted versions of all ballots produced. All encrypted ballots are posted together with their corresponding receipts. Verifiably-opened spoiled ballots are also posted.

Full Verification Voters can check that their receipts are correctly posted. Voters can check that their spoiled ballots are decrypted as expected. Anyone can verify the accuracy of the tallies and spoiled ballot decryptions.

Real-World Deployments Helios (www.heliosvoting.org) – Adida and others Used to elect president of UC Louvain, Belgium. Used in Princeton University student government. Used to elect IACR Board of Directors. Scantegrity II (www.scantegrity.org) – Chaum, Rivest, many others Used for 2009 & 2011 municipal elections in Takoma Park, MD. STAR-Vote – Benaloh, Byrne, Eakin, Kortum, McBurnett, Pereira, Stark, Wallach Designed for use in Travis County, Texas.

What’s Next? Internet Voting? Some jurisdictions are beginning to explore Internet voting. There is a strong push towards IV from a variety of constituencies.